Reports and Logging. PAN-OS Administrator's Guide. Version 6.1



Contact Information

Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA

About this Guide

This guide takes you through the configuration and maintenance of your Palo Alto Networks next-generation firewall. For additional information, refer to the following resources:

- For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal: or search the documentation.
- For access to the knowledge base and community forums, refer to
- For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to
- For the most current PAN-OS and Panorama 6.1 release notes, go to

To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.

Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at All other marks mentioned herein may be trademarks of their respective companies.

Revision Date: May 24,

PAN-OS 6.1 Administrator's Guide, Palo Alto Networks, Inc.

Reports and Logging

The firewall provides reports and logs that are useful for monitoring activity on your network. You can monitor the logs and filter the information to generate reports with predefined or customized views. You can, for example, use the predefined templates to generate reports on a user's activity, or analyze the reports and logs to interpret unusual behavior on your network and generate a custom report on the traffic pattern.

The following topics describe how to view, manage, customize, and generate the reports and logs on the firewall:

- Use the Dashboard
- Use the Application Command Center
- Use App-Scope
- Take Packet Captures
- Monitor the Firewall
- Forward Logs to External Services
- Monitor the Firewall Using SNMP
- Monitor the Firewall Using NetFlow
- NetFlow Templates
- Identify Firewall Interfaces in External Monitoring Systems
- Manage Reporting
- Syslog Field Descriptions

Use the Dashboard

The Dashboard tab widgets show general device information, such as the software version, the operational status of each interface, resource utilization, and up to 10 of the most recent entries in the threat, configuration, and system logs. All of the available widgets are displayed by default, but each administrator can remove and add individual widgets, as needed.

Click the refresh icon to update the Dashboard or an individual widget. To change the automatic refresh interval, select an interval from the drop-down (1 min, 2 mins, 5 mins, or Manual). To add a widget to the Dashboard, click the widget drop-down, select a category and then the widget name. To delete a widget, click the icon in the title bar.

The following table describes the Dashboard widgets.

Top Applications: Displays the applications with the most sessions. The block size indicates the relative number of sessions (mouse over the block to view the number), and the color indicates the security risk, from green (lowest) to red (highest). Click an application to view its application profile.

Top High Risk Applications: Similar to Top Applications, except that it displays the highest-risk applications with the most sessions.

General Information: Displays the device name, model, PAN-OS software version, the application, threat, and URL filtering definition versions, the current date and time, and the length of time since the last restart.

Interface Status: Indicates whether each interface is up (green), down (red), or in an unknown state (gray).

Threat Logs: Displays the threat ID, application, and date and time for the last 10 entries in the Threat log. The threat ID is a malware description or a URL that violates the URL Filtering profile.

Config Logs: Displays the administrator username, client (Web or CLI), and date and time for the last 10 entries in the Configuration log.

Data Filtering Logs: Displays the description and date and time for the last 60 minutes in the Data Filtering log.

URL Filtering Logs: Displays the description and date and time for the last 60 minutes in the URL Filtering log.

System Logs: Displays the description and date and time for the last 10 entries in the System log. A "Config installed" entry indicates that configuration changes were committed successfully.

System Resources: Displays the Management CPU usage, the Data Plane usage, and the Session Count, which is the number of sessions established through the firewall.

Logged In Admins: Displays the source IP address, session type (Web or CLI), and session start time for each administrator who is currently logged in.

ACC Risk Factor: Displays the average risk factor (1 to 5) for the network traffic processed over the past week. Higher values indicate higher risk.

High Availability: If high availability (HA) is enabled, indicates the HA status of the local and peer device: green (active), yellow (passive), or black (other). For more information about HA, see High Availability.

Locks: Shows configuration locks taken by administrators.

Use the Application Command Center

The ACC tab visually depicts trends and a historical view of the traffic on your network.

- ACC Risk Level
- ACC Charts
- ACC Detail Pages
- Use the ACC

ACC Risk Level

The ACC tab displays the overall risk level for all network traffic, the risk levels and number of threats detected for the most active and highest-risk applications on your network, and the number of threats detected from the busiest application categories and from all applications at each risk level. Use the ACC to view application data for the past hour, day, week, month, or any custom-defined time frame.

Risk levels (1=lowest to 5=highest) indicate the application's relative security risk based on criteria such as whether the application can share files, is prone to misuse, or tries to evade firewalls.

ACC Charts

There are five charts displayed on the Application Command Center (ACC) tab: Application, URL Filtering, Threat Prevention, Data Filtering, and HIP Matches.

Application: Displays application information grouped by the following attributes: Applications, High risk applications, Categories, Sub Categories, Technology, and Risk. Each chart can include the number of sessions, bytes transmitted and received, number of threats, application category, application subcategories, application technology, and risk level, as applicable.

URL Filtering: Displays URL/category information grouped by the following attributes: URL Categories, URLs, Blocked URL Categories, and Blocked URLs. Each chart can include the URL, URL category, and repeat count (number of times access was attempted), as applicable.

Threat Prevention: Displays threat information grouped by the following attributes: Threats, Types, Spyware, Spyware Phone Home, Spyware Downloads, Vulnerability, and Virus. Each chart can include the threat ID, count (number of occurrences), number of sessions, and subtype (such as vulnerability), as applicable.

Data Filtering: Displays information on data filtered by the firewall, grouped by the following attributes: Content/File Types, Types, and File Names.

HIP Matches: Displays the host information collected by the firewall, grouped by HIP Objects and HIP Profiles.

ACC Detail Pages

To view additional details, click any of the links on the ACC charts. A details page opens to show information about the item at the top and additional lists for related items. For example, clicking the web-browsing link on the Application chart opens the Application Information page for web-browsing.

Use the ACC

The following procedure describes how to use the ACC tab and how to customize your view:

Step 1: On the ACC, change one or more of the settings at the top of the page.
- Use the drop-down to select which of Applications, URL Categories, Threats, Content/File Types, and HIP Objects to view.
- Select a virtual system, if virtual systems are defined.
- Select a time period from the Time drop-down. The default is Last Hour.
- Select a sorting method from the Sort By drop-down. You can sort the charts in descending order by number of sessions, bytes, or threats. The default is by number of sessions.
- For the selected sorting method, select the top number of applications and application categories shown in each chart from the Top drop-down.
- Click the Submit icon to apply the selected settings.

Step 2: To open log pages associated with the information on the page, use the log links in the upper-right corner of the page. The context for the logs matches the information on the page.

Step 3: To filter the list, click an item in one of the columns; this adds that item to the filter bar located above the log column names. After adding the desired filters, click the Apply Filter icon.
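The grouping, sorting and Top-N selection that the ACC Application chart and the Dashboard's Top Applications, Top High Risk Applications and ACC Risk Factor widgets perform, modelled as an added example over constructed session records. This is not PAN-OS code: the record layout, the threshold for "high risk" (risk 4 or 5) and the session-weighted average risk are assumptions of the model; the attribute names, sort measures and the 1-to-5 risk scale are the ones the guide describes.

```python
"""Added example (not PAN-OS code): ACC-style grouping, sorting and Top-N over
constructed per-session records, plus the session-weighted average risk (1 to 5)
that the Dashboard's ACC Risk Factor widget summarises. The record layout, the
"high risk" threshold (risk >= 4) and the session weighting are assumptions.
"""
from collections import defaultdict

# Constructed session records, one per session (not real firewall data).
SESSIONS = [
    {"app": "web-browsing", "category": "general-internet", "subcategory": "internet-utility",
     "technology": "browser-based", "risk": 4, "bytes": 50000, "threats": 1},
    {"app": "web-browsing", "category": "general-internet", "subcategory": "internet-utility",
     "technology": "browser-based", "risk": 4, "bytes": 30000, "threats": 0},
    {"app": "web-browsing", "category": "general-internet", "subcategory": "internet-utility",
     "technology": "browser-based", "risk": 4, "bytes": 20000, "threats": 1},
    {"app": "ssl", "category": "networking", "subcategory": "encrypted-tunnel",
     "technology": "browser-based", "risk": 4, "bytes": 200000, "threats": 0},
    {"app": "dns", "category": "networking", "subcategory": "infrastructure",
     "technology": "network-protocol", "risk": 3, "bytes": 500, "threats": 0},
    {"app": "dns", "category": "networking", "subcategory": "infrastructure",
     "technology": "network-protocol", "risk": 3, "bytes": 700, "threats": 0},
    {"app": "bittorrent", "category": "general-internet", "subcategory": "file-sharing",
     "technology": "peer-to-peer", "risk": 5, "bytes": 900000, "threats": 3},
]

# ACC Application chart attributes mapped to the record field they group on.
GROUP_FIELDS = {"Applications": "app", "Categories": "category",
                "Sub Categories": "subcategory", "Technology": "technology", "Risk": "risk"}
SORT_KEYS = ("sessions", "bytes", "threats")      # the Sort By drop-down choices


def acc_chart(sessions, group_by="Applications", sort_by="sessions", top=5):
    """Group sessions by an ACC attribute, sort descending by the chosen measure, keep the top N."""
    if group_by not in GROUP_FIELDS or sort_by not in SORT_KEYS:
        raise ValueError("unknown group_by or sort_by")
    key = GROUP_FIELDS[group_by]
    totals = defaultdict(lambda: {"sessions": 0, "bytes": 0, "threats": 0, "risk": 0})
    for s in sessions:
        row = totals[s[key]]
        row["sessions"] += 1
        row["bytes"] += s["bytes"]
        row["threats"] += s["threats"]
        row["risk"] = max(row["risk"], s["risk"])   # worst risk level seen in the group
    # Descending by the measure; ties broken by name so the order is stable.
    ordered = sorted(totals.items(), key=lambda kv: (-kv[1][sort_by], str(kv[0])))
    return [(name, dict(row)) for name, row in ordered[:top]]


def high_risk_applications(sessions, min_risk=4, sort_by="sessions", top=5):
    """Top High Risk Applications: acc_chart restricted to risk >= min_risk (threshold assumed)."""
    risky = [s for s in sessions if s["risk"] >= min_risk]
    return acc_chart(risky, "Applications", sort_by, top)


def average_risk_factor(sessions):
    """Session-weighted mean risk (1 to 5), rounded to one decimal; 0.0 with no sessions."""
    if not sessions:
        return 0.0
    return round(sum(s["risk"] for s in sessions) / len(sessions), 1)
```

Changing `group_by` and `sort_by` reproduces the other Application chart views (for example Categories sorted by threats), and `top` plays the role of the Top drop-down.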

Use App-Scope

The App-Scope reports provide visibility and analysis tools that help pinpoint problematic behavior: they help you understand changes in application usage and user activity, identify the users and applications that take up most of the network bandwidth, and identify network threats. With the App-Scope reports, you can quickly see if any behavior is unusual or unexpected. Each report provides a dynamic, user-customizable window into the network; hovering the mouse over and clicking either the lines or bars on the charts opens detailed information about the specific application, application category, user, or source on the ACC.

The App-Scope charts give you the ability to:

- Toggle the attributes in the legend to view only the chart details that you want to review. The ability to include or exclude data from the chart allows you to change the scale and review details more closely.
- Click into an attribute in a bar chart and drill down to the related sessions in the ACC. Click into an Application name, Application Category, Threat Name, Threat Category, Source IP address, or Destination IP address on any bar chart to filter on the attribute and view the related sessions in the ACC.
- Export a chart or map to PDF or as an image. For portability and offline viewing, you can export charts and maps as PDFs or PNG images.

The following App-Scope reports are available:

- Summary Report
- Change Monitor Report
- Threat Monitor Report
- Threat Map Report
- Network Monitor Report
- Traffic Map Report

Summary Report

The App-Scope Summary report displays charts for the top five gainers, losers, and bandwidth-consuming applications, application categories, users, and sources.

Change Monitor Report

The App-Scope Change Monitor report displays changes over a specified time period. For example, the following chart displays the top applications that gained in use over the last hour as compared with the last 24-hour period. The top applications are determined by session count and sorted by percent.

The Change Monitor report contains the following buttons and options:

- Determines the number of records with the highest measurement included in the chart.
- Determines the type of item reported: Application, Application Category, Source, or Destination.
- Displays measurements of items that have increased over the measured period.
- Displays measurements of items that have decreased over the measured period.
- Displays measurements of items that were added over the measured period.
- Displays measurements of items that were discontinued over the measured period.

- Applies a filter to display only the selected item. None displays all entries.
- Determines whether to display session or byte information.
- Determines whether to sort entries by percentage or raw growth.
- Exports the graph as a .png image or as a PDF.
- Specifies the period over which the change measurements are taken.

Threat Monitor Report

The App-Scope Threat Monitor report displays a count of the top threats over the selected time period. For example, the following figure shows the top 10 threat types over the last 6 hours. Each threat type is color-coded as indicated in the legend below the chart.

The Threat Monitor report contains the following buttons and options:

- Determines the number of records with the highest measurement included in the chart.
- Determines the type of item measured: Threat, Threat Category, Source, or Destination.
- Applies a filter to display only the selected type of items.
- Determines whether the information is presented in a stacked column chart or a stacked area chart.
- Exports the graph as a .png image or as a PDF.
- Specifies the period over which the measurements are taken.

Threat Map Report

The App-Scope Threat Map report shows a geographical view of threats, including severity. Each threat type is color-coded as indicated in the legend below the chart. The firewall uses geolocation to create threat maps. If you have not specified the geolocation coordinates on the firewall (Device > Setup > Management, General Settings section), the firewall is placed at the bottom of the threat map screen.

The Threat Map report contains the following buttons and options:

- Determines the number of records with the highest measurement included in the chart.
- Displays incoming threats.
- Displays outgoing threats.
- Applies a filter to display only the selected type of items.
- Zooms in and out of the map.
- Exports the graph as a .png image or as a PDF.
- Indicates the period over which the measurements are taken.

Network Monitor Report

The App-Scope Network Monitor report displays the bandwidth dedicated to different network functions over the specified period of time. Each network function is color-coded as indicated in the legend below the chart. For example, the image below shows application bandwidth for the past 7 days based on session information.

The Network Monitor report contains the following buttons and options:

- Determines the number of records with the highest measurement included in the chart.
- Determines the type of item reported: Application, Application Category, Source, or Destination.
- Applies a filter to display only the selected item. None displays all entries.
- Determines whether to display session or byte information.
- Exports the graph as a .png image or as a PDF.
- Determines whether the information is presented in a stacked column chart or a stacked area chart.
- Indicates the period over which the change measurements are taken.

Traffic Map Report

The App-Scope Traffic Map report shows a geographical view of traffic flows according to sessions or flows. The firewall uses geolocation to create traffic maps. If you have not specified the geolocation coordinates on the firewall (Device > Setup > Management, General Settings section), the firewall is placed at the bottom of the traffic map screen. Each traffic type is color-coded as indicated in the legend below the chart.

The Traffic Map report contains the following buttons and options:

- Determines the number of records with the highest measurement included in the chart.
- Displays incoming threats.
- Displays outgoing threats.
- Determines whether to display session or byte information.
- Zooms in and out of the map.
- Exports the graph as a .png image or as a PDF.
- Indicates the period over which the change measurements are taken.

Take Packet Captures

PAN-OS supports packet capture for troubleshooting or for detecting unknown applications. You can define filters so that only the packets that match the filters are captured. The packet captures are stored locally on the device and are available for download to your local computer.

Packet Capture is for troubleshooting only. This feature can cause system performance to degrade and should be used only when necessary. Remember to disable the feature after you complete the packet capture.

The following table describes the packet capture settings on Monitor > Packet Capture.

Manage Filters: Click Manage Filters, click Add to add a new filter, and specify the following information:
- Id: Enter or select an identifier for the filter.
- Ingress Interface: Select the firewall interface.
- Source: Specify the source IP address.
- Destination: Specify the destination IP address.
- Src Port: Specify the source port.
- Dest Port: Specify the destination port.
- Proto: Specify the protocol to filter.
- Non-IP: Choose how to treat non-IP traffic (exclude all IP traffic, include all IP traffic, include only IP traffic, or do not include an IP filter).
- IPv6: Select the check box to include IPv6 packets in the filter.

Filtering: Click to toggle the filtering selections on or off.

Pre-Parse Match: Click to toggle the pre-parse match option on or off. The pre-parse-match option is provided for advanced troubleshooting. After a packet enters the ingress port, it proceeds through several processing steps before it is parsed for matches against the pre-configured filters. It is possible for a packet, due to a failure, to never reach the filtering stage; this can occur, for example, if a route lookup fails. Set pre-parse-match to ON to emulate a positive match for every packet entering the system. This allows the firewall to capture even the packets that do not reach the filtering process. If a packet is able to reach the filtering stage, it is then processed according to the filter configuration and discarded if it fails to meet the filtering criteria.

Packet Capture: Click to toggle packet capturing on or off.

For anti-spyware and vulnerability protection profiles, you can enable extended packet captures for rules and exceptions defined in the profile. This functionality allows the firewall to capture from 1 to 50 packets and provides more context when analyzing the Threat logs. To define the extended packet capture length:
1. Select Device > Setup > Content-ID.
2. Edit the Threat Detection Settings section to specify the Capture Length, the number of packets to capture.
3. View the packet capture in Monitor > Logs > Threat. Locate the threat log entry and click the green arrow (Packet Capture) icon in the corresponding row to view the capture.

Packet Capture Stage: Select Add and specify the following:
- Stage: Indicate the point at which to capture the packet:
  - drop: When packet processing encounters an error and the packet is to be dropped.
  - firewall: When the packet has a session match, or when a first packet with a session is successfully created.
  - receive: When the packet is received on the dataplane processor.
  - transmit: When the packet is to be transmitted on the dataplane processor.
- File: Specify the capture file name. The file name should begin with a letter and can include letters, digits, periods, underscores, or hyphens.
- Packet Count: Specify the number of packets after which capturing stops.
- Byte Count: Specify the number of bytes after which capturing stops.

Captured Files: Select Delete to remove a packet capture file from the list of captured files.

Clear All Settings: Select Clear All Settings to clear all packet capture settings.
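The capture pipeline described above (filters with unset fields as wildcards, the Filtering and Pre-Parse Match toggles, the four capture stages, the file-name rule and the Packet Count / Byte Count stop conditions), written out as an added model in Python. It is not PAN-OS code: the packet dictionaries, the `reached_filter` flag that stands in for a failure before the filtering stage such as a failed route lookup, and the `CaptureFilter` / `StageCapture` classes are assumptions of the model, and the sample packets are constructed.

```python
"""Added example (not PAN-OS code): a model of the packet capture pipeline from
Take Packet Captures. Filters, stages, the Pre-Parse Match semantics and the
stop conditions follow the guide's description; the packet layout and the
'reached_filter' flag (False = failed before filtering) are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

CAPTURE_FILENAME = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*$")


def valid_capture_filename(name):
    """Begins with a letter; only letters, digits, periods, underscores or hyphens."""
    return CAPTURE_FILENAME.match(name) is not None


@dataclass
class CaptureFilter:
    filter_id: int
    ingress_interface: Optional[str] = None
    source: Optional[str] = None
    destination: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[int] = None     # IP protocol number (6 = TCP, 17 = UDP)
    ipv6: bool = False              # the IPv6 check box: include IPv6 packets

    def matches(self, pkt):
        if pkt.get("ipv6") and not self.ipv6:
            return False
        wanted = {"ingress_interface": self.ingress_interface, "source": self.source,
                  "destination": self.destination, "src_port": self.src_port,
                  "dst_port": self.dst_port, "proto": self.proto}
        # An unset field is a wildcard; every set field must equal the packet's value.
        return all(v is None or pkt.get(k) == v for k, v in wanted.items())


@dataclass
class StageCapture:
    stage: str                            # receive, firewall, transmit or drop
    filename: str
    packet_count: Optional[int] = None    # stop after this many packets
    byte_count: Optional[int] = None      # stop after this many bytes
    packets: list = field(default_factory=list)
    bytes_captured: int = 0

    def stopped(self):
        return ((self.packet_count is not None and len(self.packets) >= self.packet_count)
                or (self.byte_count is not None and self.bytes_captured >= self.byte_count))

    def record(self, pkt):
        if self.stopped():
            return False
        self.packets.append(pkt)
        self.bytes_captured += pkt["length"]
        return True


def run_capture(packets, filters, stages, filtering=True, pre_parse_match=False):
    """Feed packets through the model; return {stage: number of packets captured}."""
    by_stage = {s.stage: s for s in stages}
    for pkt in packets:
        if filtering:
            if pkt.get("reached_filter", True):
                # Reached the filtering stage: discarded unless some filter matches.
                if not any(f.matches(pkt) for f in filters):
                    continue
            elif not pre_parse_match:
                # Never parsed for filter matches (e.g. route lookup failed) and
                # pre-parse-match is OFF, so the capture never sees it.
                continue
        cap = by_stage.get(pkt["stage"])
        if cap is not None:
            cap.record(pkt)
    return {name: len(c.packets) for name, c in by_stage.items()}


# Constructed packets (not real traffic). 'stage' is where the dataplane handled
# the packet; 'reached_filter' False models a failure before the filtering stage.
SAMPLE_PACKETS = [
    {"ingress_interface": "ethernet1/1", "source": "10.0.0.5", "destination": "203.0.113.10",
     "src_port": 44321, "dst_port": 443, "proto": 6, "length": 1200, "stage": "receive"},
    {"ingress_interface": "ethernet1/1", "source": "10.0.0.5", "destination": "203.0.113.10",
     "src_port": 44321, "dst_port": 443, "proto": 6, "length": 1200, "stage": "transmit"},
    {"ingress_interface": "ethernet1/1", "source": "10.0.0.5", "destination": "203.0.113.99",
     "src_port": 44322, "dst_port": 443, "proto": 6, "length": 60, "stage": "drop",
     "reached_filter": False},
    {"ingress_interface": "ethernet1/1", "source": "10.0.0.5", "destination": "203.0.113.20",
     "src_port": 50000, "dst_port": 53, "proto": 17, "length": 80, "stage": "receive"},
    {"ingress_interface": "ethernet1/1", "source": "2001:db8::5", "destination": "2001:db8::10",
     "src_port": 44323, "dst_port": 443, "proto": 6, "length": 1000, "stage": "receive",
     "ipv6": True},
]


def demo(filtering=True, pre_parse_match=False, receive_limit=None):
    """Capture TCP/443 from 10.0.0.5 at the receive, transmit and drop stages."""
    filters = [CaptureFilter(filter_id=1, source="10.0.0.5", dst_port=443, proto=6)]
    stages = [StageCapture("receive", "rx.pcap", packet_count=receive_limit),
              StageCapture("transmit", "tx.pcap"),
              StageCapture("drop", "drop.pcap")]
    return run_capture(SAMPLE_PACKETS, filters, stages, filtering, pre_parse_match)
```

With the filter on and pre-parse match off, the packet that failed before filtering (the one at the drop stage) is never captured; turning pre-parse match on captures it while the other packets are still subject to the filter, which is the behaviour the Pre-Parse Match setting describes. A `receive_limit` shows Packet Count stopping the receive-stage capture.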

Monitor the Firewall

The following sections describe the methods you can use to monitor the firewall and provide basic setup instructions:

- Monitor Applications and Threats
- Monitor Log Data
- Monitor the Dashboard
- View Reports

You can also configure the firewall (excluding PA-4000 Series and PA-7050 firewalls) to export flow data to a NetFlow collector for analysis and reporting. To configure NetFlow settings, refer to the PAN-OS Web Interface Reference Guide.

Monitor Applications and Threats

All Palo Alto Networks next-generation firewalls come equipped with App-ID technology, which identifies the applications traversing your network irrespective of protocol, encryption, or evasive tactic. You can then Use the Application Command Center to monitor the applications. The ACC graphically summarizes the log database to highlight the applications traversing your network, who is using them, and their potential security impact. The ACC is updated dynamically, using the continuous traffic classification that App-ID performs; if an application changes ports or behavior, App-ID continues to see the traffic and displays the results in the ACC. You can quickly investigate new, risky, or unfamiliar applications that appear in the ACC with a single click that displays a description of the application, its key features, its behavioral characteristics, and who is using it. Additional visibility into URL categories, threats, and data provides a complete and well-rounded picture of network activity. With the ACC, you can very quickly learn more about the traffic traversing the network and then translate that information into a more informed security policy.

Monitor Log Data

All Palo Alto Networks next-generation firewalls can generate log files that provide an audit trail of the activities and events on the firewall. There are separate logs for separate types of activities and events. For example, the Threat logs record all traffic that causes the firewall to generate a security alarm, the URL Filtering logs record all traffic that matches a URL Filtering profile attached to a security policy, and the Config logs record all changes to the firewall configuration. You can either Forward Logs to External Services or view the logs locally on the device as follows:

- View the Log Files
- Filter Log Data

View the Log Files

The firewall maintains logs for WildFire, configurations, system, alarms, traffic flows, threats, URL filtering, data filtering, and Host Information Profile (HIP) matches. You can view the current logs at any time. To locate specific entries, you can apply filters to most of the log fields.

The firewall displays the information in logs so that role-based administration permissions are respected. When you display logs, only the information that you have permission to see is included. For information on administrator permissions, see Administrative Roles.

By default, all log files are generated and stored locally on the firewall. You can view these log files directly (Monitor > Logs). To display additional details, click the spyglass icon for an entry.

The following table includes information on each log type:

Traffic: Displays an entry for the start and end of each session. Each entry includes the date and time, source and destination zones, addresses and ports, application name, security rule name applied to the flow, rule action (allow, deny, or drop), ingress and egress interface, number of bytes, and session end reason. Click the spyglass icon next to an entry to view additional details about the session, such as whether an ICMP entry aggregates multiple sessions between the same source and destination (the Count value will be greater than one). The Type column indicates whether the entry is for the start or end of the session, or whether the session was denied or dropped. A drop indicates that the security rule that blocked the traffic specified any application, while a deny indicates that the rule identified a specific application. If traffic is dropped before the application is identified, such as when a rule drops all traffic for a specific service, the application is shown as not-applicable.

Threat: Displays an entry when traffic matches a Security Profile (Antivirus, Anti-spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection) that is attached to a security policy on the firewall. Each entry includes the date and time, a threat name or URL, the source and destination zones, addresses, and ports, the application name, and the alarm action (allow or block) and severity. Click the spyglass icon next to an entry to view additional details about the threat, such as whether the entry aggregates multiple threats of the same type between the same source and destination (the Count value will be greater than one). The Type column indicates the type of threat, such as virus or spyware. The Name column is the threat description or URL, and the Category column is the threat category (such as keylogger) or URL category. If local packet captures are enabled, click the green arrow (Packet Capture) icon next to an entry to access the captured packets. To enable local packet captures, see Take Packet Captures.

URL Filtering: Displays logs for all traffic that matches a URL Filtering profile attached to a security policy, for example, if policy blocks access to specific web sites and web site categories, or if policy is configured to generate an alert when a web site is accessed. For information on defining URL Filtering profiles, see URL Filtering.

WildFire Submissions: Displays logs for files that are uploaded to and analyzed by the WildFire cloud; the log data is sent back to the device after analysis, along with the analysis results.

Data Filtering: Displays logs for the security policies that help prevent sensitive information, such as credit card or social security numbers, from leaving the area protected by the firewall. See Set Up Data Filtering for information on defining data filtering profiles. This log also shows information for file-blocking profiles. For example, if you are blocking .exe files, the log will show the files that were blocked. If you forward files to WildFire, you will see the results of that action: if you are forwarding PE files to WildFire, for example, the log will show that the file was forwarded and will also show whether or not it was uploaded to WildFire successfully.

Configuration: Displays an entry for each configuration change. Each entry includes the date and time, the administrator username, the IP address from where the change was made, the type of client (XML, Web, or CLI), the type of command executed, whether the command succeeded or failed, the configuration path, and the values before and after the change.

System: Displays an entry for each system event. Each entry includes the date and time, the event severity, and an event description.

HIP Match: Displays traffic flows that match a HIP Object or HIP Profile that you have configured.

Filter Log Data

Each log page has a filter area at the top of the page. Use the filter area as follows:

- Click any of the underlined links in the log listing to add that item as a log filter option. For example, if you click the Host link in a log entry and then the Web Browsing link, both items are added, and the search will find entries that match both (AND search).
- To define other search criteria, click Add Log Filter. Select the type of search (and/or), the attribute to include in the search, the matching operator, and the values for the match, if appropriate. Click Add to add the criterion to the filter area on the log page, and then click Close to close the pop-up window. Click Apply Filter to display the filtered list.
  If the Value string matches an Operator (such as has or in), enclose the string in quotation marks to avoid a syntax error. For example, if you filter by destination country and use IN as a Value to specify INDIA, enter the filter as ( dstloc eq "IN" ).
  You can combine filter expressions added on the log page with those you define in the Add Log Filter dialog. The filter field on the log page displays each filter as an entry.
  If you add a Receive Time filter with the Operator set to in and the Value set to Last 60 seconds, some of the page links on the log viewer might not show results because the number of pages might grow or shrink due to the dynamic nature of the selected time.
- To clear filters and redisplay the unfiltered list, click Clear Filter.
- To save your selections as a new filter, click Save Filter, enter a name for the filter, and click OK.
- To export the current log listing (as shown on the page, including any applied filters), click Save Filter. Select whether to open the file or save it to disk, and select the check box if you want to always use the same option. Click OK.
- To export the current log listing in CSV format, select the Export to CSV icon. By default, exporting the log listing to CSV format generates a CSV report with up to 2,000 rows of logs. To change the limit for rows displayed in CSV reports, use the Max Rows in CSV Export field on the Log Export and Reporting tab (select Device > Setup > Management > Logging and Reporting Settings).
- To change the automatic refresh interval, select an interval from the drop-down (1 min, 30 seconds, 10 seconds, or Manual).
- To change the number of log entries per page, select the number of rows from the Rows drop-down. Log entries are retrieved in blocks of 10 pages. Use the paging controls at the bottom of the page to navigate through the log list.
- Select the Resolve Hostname check box to begin resolving external IP addresses to domain names.

Monitor the Dashboard

You can also monitor the local log data directly from the Dashboard by adding the associated widgets.

View Reports

The firewall also uses the log data to generate reports (Monitor > Reports) that display the log data in a tabular or graphical format. See About Reports for more details on the predefined and custom reports available on the firewall.

Forward Logs to External Services

Depending on the type and severity of the data in the log files, you may want to be alerted to critical events that require your attention, or you may have policies that require you to archive the data for longer than it can be stored on the firewall. In these cases you will want to forward your log data to an external service for archive, notification, and/or analysis.

To forward log data to an external service you must complete the following tasks:
1. Configure the firewall to access the remote services that will be receiving the logs. See Define Remote Logging Destinations.
2. Configure each log type for forwarding. See Enable Log Forwarding. For traffic and threat logs, enabling log forwarding includes setting up a log forwarding profile or a default log forwarding profile. For details, see Log Forwarding Profiles.

Define Remote Logging Destinations

In order to reach an external service such as a Syslog server or SNMP trap manager, the firewall must know the details of how to access and, if necessary, authenticate to the service. On the firewall, you define this information in a Server Profile. You must create a Server Profile for each external service you want the firewall to interact with.

The type of logging destinations you need to set up and which logs you forward will depend on your needs. Some common log forwarding scenarios include the following:

For immediate notification about critical system events or threats that require your attention, you can generate SNMP traps or send email alerts. See Set Up Email Alerts and/or Set Up SNMP Trap Destinations.

For long-term storage and archival of data and for centralized device monitoring, you can send the log data to a Syslog server. See Define Syslog Servers. This enables integration with third-party security monitoring tools, such as Splunk or ArcSight. You can also secure the channel between the firewall and the Syslog server. See Configure the Firewall to Authenticate to the Syslog Server.

For aggregation and reporting of log data from multiple Palo Alto Networks firewalls, you can forward logs to a Panorama Manager or Panorama Log Collector. See Enable Log Forwarding.

You can define as many Server Profiles as you need. For example, you could use separate Server Profiles to send traffic logs to one Syslog server and system logs to a different one. Or, you could include multiple server entries in a single Server Profile to enable you to log to multiple Syslog servers for redundancy.

By default, all log data is forwarded over the MGT interface. If you plan to use an interface other than MGT, you will need to configure a Service Route for each service to which you plan to forward logs, as described in Step 5 in the procedure to Set Up Network Access for External Services.

Set Up Email Alerts

Step 1: Create a Server Profile for your email server.
1. Select Device > Server Profiles > Email.
2. Click Add and then enter a Name for the profile.
3. (Optional) Select the virtual system to which this profile applies from the Location drop-down.
4. Click Add to add a new server entry and enter the information required to connect to the Simple Mail Transport Protocol (SMTP) server and send email (you can add up to four servers to the profile):
   Server: Name to identify the mail server (1-31 characters). This field is just a label and does not have to be the host name of an existing SMTP server.
   Display Name: The name to show in the From field of the email.
   From: The email address where notification emails will be sent from.
   To: The email address to which notification emails will be sent.
   Additional Recipient: If you want the notifications sent to a second account, enter the additional address here. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list.
   Gateway: The IP address or host name of the SMTP gateway to use to send the emails.
5. Click OK to save the server profile.

Step 2: (Optional) Customize the format of the email messages the firewall sends. Select the Custom Log Format tab. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.

Step 3: Save the server profile and commit your changes.
1. Click OK to save the profile.
2. Click Commit to save the changes to the running configuration.

Set Up SNMP Trap Destinations

Simple Network Management Protocol (SNMP) is a standard facility for monitoring the devices on your network. You can configure the firewall to send SNMP traps to your SNMP management software to alert you to critical system events or threats that require your immediate attention. You can also use SNMP to monitor the firewall. In this case, your SNMP manager must be configured to get statistics from the firewall rather than (or in addition to) having the firewall send traps to the manager. For more information, see Configure the Firewall to Authenticate to the Syslog Server.

Step 1: (SNMP v3 only) Get the engine ID for the firewall.
In many cases, the MIB browser or SNMP manager will automatically discover the engine ID upon successful connection to the SNMP agent on the firewall. You can usually find this information in the agent settings section of the interface. Refer to the documentation for your specific product for instructions on finding the agent information.
To find out the firewall's engine ID, you must configure the firewall for SNMP v3 and send a GET message from your SNMP manager or MIB browser as follows:
1. Enable the interface to allow inbound SNMP requests:
   If you will be receiving SNMP GET messages on the MGT interface, select Device > Setup > Management and click Edit in the Management Interface Settings section of the screen. In the Services section, select the SNMP check box and then click OK.
   If you will be receiving SNMP GET messages on a different interface, you must associate a management profile with the interface and enable SNMP management.
2. Configure the firewall for SNMP v3 as described in Step 2 in Set Up SNMP Monitoring. If you do not configure the firewall for SNMP v3, your MIB browser will not allow you to GET the engine ID.
3. Connect your MIB browser or SNMP manager to the firewall and run a GET for the OID. The value that is returned is the unique engine ID for the firewall.

Step 2: Create a Server Profile that contains the information for connecting and authenticating to the SNMP manager(s).
1. Select Device > Server Profiles > SNMP Trap.
2. Click Add and then enter a Name for the profile.
3. (Optional) Select the virtual system to which this profile applies from the Location drop-down.
4. Specify the version of SNMP you are using (V2c or V3).
5. Click Add to add a new SNMP Trap Receiver entry (you can add up to four trap receivers per server profile). The required values depend on whether you are using SNMP V2c or V3 as follows:
   SNMP V2c
   Server: Name to identify the SNMP manager (1-31 characters). This field is just a label and does not have to be the host name of an existing SNMP server.
   Manager: The IP address of the SNMP manager to which you want to send traps.
   Community: The community string required to authenticate to the SNMP manager.
   SNMP V3
   Server: Name to identify the SNMP manager (1-31 characters). This field is just a label and does not have to be the host name of an existing SNMP server.
   Manager: The IP address of the SNMP manager to which you want to send traps.
   User: The username required to authenticate to the SNMP manager.
   EngineID: The engine ID of the firewall, as identified in Step 1. This is a hexadecimal value from 5 to 64 bytes with a 0x prefix. Each firewall has a unique engine ID.
   Auth Password: The password to be used for authNoPriv level messages to the SNMP manager. This password will be hashed using Secure Hash Algorithm (SHA-1), but will not be encrypted.
   Priv Password: The password to be used for authPriv level messages to the SNMP manager. This password will be hashed using SHA and will be encrypted using Advanced Encryption Standard (AES 128).
6. Click OK to save the server profile.

Step 3: (Optional) Set up a service route for SNMP traps. By default, SNMP traps are sent over the MGT interface. If you want to use a different interface for SNMP traps, you must edit the service route to enable the firewall to reach your SNMP manager. See Set Up Network Access for External Services for instructions.

Step 4: Commit your changes. Click Commit. The device may take up to 90 seconds to save your changes.

Step 5: Enable the SNMP manager to interpret the traps it receives from the firewall. Load the PAN-OS MIB files into your SNMP management software and compile them. Refer to the documentation for your SNMP manager for specific instructions on how to do this.

Define Syslog Servers

Syslog is a standard log transport mechanism that enables the aggregation of log data from different network devices (such as routers, firewalls, and printers) from different vendors into a central repository for archive, analysis, and reporting. The firewall generates six types of logs that can be forwarded to an external syslog server: traffic, threat, WildFire, host information profile (HIP) match, config, and system. If you want to forward all or some of these logs to an external service for long-term storage and analysis, you can use TCP or SSL for reliable and secure transport of logs, or UDP for non-secure transport.

Set Up Syslog Forwarding

Step 1: Create a Server Profile that contains the information for connecting to the Syslog server(s).
1. Select Device > Server Profiles > Syslog.
2. Click Add and then enter a Name for the profile.
3. (Optional) Select the virtual system to which this profile applies from the Location drop-down.
4. Click Add to add a new Syslog server entry and enter the information required to connect to the Syslog server (you can add up to four Syslog servers to the same profile):
   Name: Unique name for the server profile.
   Server: IP address or fully qualified domain name (FQDN) of the Syslog server.
   Transport: Select TCP, UDP, or SSL as the method of communication with the syslog server.
   Port: The port number on which to send Syslog messages (default is UDP on port 514); you must use the same port number on the firewall and the Syslog server.
   Format: Select the Syslog message format to use, BSD or IETF. Traditionally, BSD format is over UDP and IETF format is over TCP/SSL. For setting up secure syslog forwarding with client authentication, see Configure the Firewall to Authenticate to the Syslog Server.
   Facility: Select one of the Syslog standard values, which is used to calculate the priority (PRI) field in your Syslog server implementation. You should select the value that maps to how you use the PRI field to manage your Syslog messages.
5. (Optional) To customize the format of the Syslog messages the firewall sends, select the Custom Log Format tab. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
6. Click OK to save the server profile.

Step 2: (Optional) Configure the header format used in Syslog messages. Choosing the header format offers more flexibility in filtering and reporting on the log data for some SIEMs. This is a global setting and applies to all syslog server profiles configured on the appliance.
1. Select Device > Setup > Management and click the Edit icon in the Logging and Reporting Settings section.
2. Select Log Export and Reporting.
3. Select one of the following options from the Send Hostname in Syslog drop-down:
   FQDN (the default): Concatenates the hostname and domain name defined on the sending device.
   hostname: Uses the hostname defined on the sending device.
   ipv4-address: Uses the IPv4 address of the interface used to send logs on the device. By default, this is the MGT interface of the device.
   ipv6-address: Uses the IPv6 address of the interface used to send logs on the device. By default, this is the MGT interface of the device.
   none: Leaves the hostname field unconfigured on the device. There is no identifier for the device that sent the logs.
4. Click OK and Commit.

Step 3: Commit your changes. Click Commit. The device may take up to 90 seconds to save your changes.

Step 4: Enable log forwarding. See Enable Log Forwarding. You must configure each log type for forwarding and specify the severity for which the event is logged. WildFire logs are a type of threat log, but they are not logged and forwarded along with threat logs. While WildFire logs use the same syslog format as threat logs, the threat subtype is preset to WildFire. Therefore, you must enable logging/forwarding for WildFire logs distinctly from threat logs.

Step 5: Review the logs on the syslog server. To parse the logs, see Syslog Field Descriptions.

Configure the Firewall to Authenticate to the Syslog Server

To enable client authentication for syslog over SSL, you can use a trusted CA or a self-signed CA for generating certificates that can be used for secure syslog communication. Check for the following when generating a certificate for secure syslog communication:
   The private key must be available on the sending device; the keys cannot be stored on a Hardware Security Module (HSM).
   The subject and the issuer for the certificate must not be identical.
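The receiver side of Steps 1 and 2, as an added Go example that is not part of the guide: it decodes the PRI that the profile's Facility setting produces (PRI = facility * 8 + severity), tells a BSD header from an IETF one, reads the HOSTNAME field that Send Hostname in Syslog controls ("-" when set to none), and pulls the log type and subtype out of the comma-separated body so that WildFire verdicts can be routed apart from other THREAT logs. The sample lines are constructed; the positions of the type and subtype fields (4th and 5th) and the empty structured-data element in the IETF header are assumptions about the 6.1 format.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Facility and severity names in RFC 5424 numbering; PRI = facility*8 + severity.
var facilityNames = []string{
	"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
	"uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
	"local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
}

var severityNames = []string{"emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"}

// Record is what a receiver can recover from one forwarded PAN-OS syslog line.
type Record struct {
	Format   string // "BSD" (RFC 3164 header) or "IETF" (RFC 5424 header)
	Facility string // decoded from PRI; chosen by the Facility field of the Syslog server profile
	Severity string // decoded from PRI
	Host     string // HOSTNAME field: FQDN, hostname, IPv4 or IPv6 address; "" when the profile sends none
	Type     string // PAN-OS log type from the CSV body, e.g. TRAFFIC, THREAT, SYSTEM
	Subtype  string // PAN-OS subtype, e.g. end, vulnerability, wildfire
	Body     string // the comma-separated PAN-OS log body
}

var (
	// <PRI>Mmm dd hh:mm:ss HOST BODY
	bsdRe = regexp.MustCompile(`^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$`)
	// <PRI>1 TIMESTAMP HOST APP PROCID MSGID - BODY (assumes the structured-data element is "-")
	ietfRe = regexp.MustCompile(`^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) - (.*)$`)
)

// ParseSyslog decodes one line in either header format.
func ParseSyslog(line string) (Record, error) {
	var rec Record
	var pri, host, body string
	if m := ietfRe.FindStringSubmatch(line); m != nil {
		rec.Format, pri, host, body = "IETF", m[1], m[3], m[7]
	} else if m := bsdRe.FindStringSubmatch(line); m != nil {
		rec.Format, pri, host, body = "BSD", m[1], m[3], m[4]
	} else {
		return rec, fmt.Errorf("unrecognised syslog header: %q", line)
	}
	n, err := strconv.Atoi(pri)
	if err != nil || n > 191 { // 23*8 + 7 is the largest legal PRI
		return rec, fmt.Errorf("invalid PRI %q", pri)
	}
	rec.Facility = facilityNames[n/8]
	rec.Severity = severityNames[n%8]
	if host != "-" { // RFC 5424 NILVALUE: Send Hostname in Syslog was set to none
		rec.Host = host
	}
	rec.Body = body
	fields := strings.Split(body, ",")
	if len(fields) < 5 {
		return rec, fmt.Errorf("body has %d fields, expected at least 5", len(fields))
	}
	rec.Type = fields[3]    // assumed position of the log type
	rec.Subtype = fields[4] // assumed position of the subtype
	return rec, nil
}

// IsWildFire reports whether a THREAT record is really a WildFire verdict,
// which the firewall marks by presetting the threat subtype to wildfire.
func IsWildFire(r Record) bool {
	return strings.EqualFold(r.Type, "THREAT") && strings.EqualFold(r.Subtype, "wildfire")
}

const (
	// Constructed sample: BSD header, FQDN hostname, PRI 134 = local0 (16*8) + info (6).
	SampleBSD = "<134>May 24 10:00:00 fw01.example.com 1,2015/05/24 10:00:00,0001A1000000,TRAFFIC,end,1,2015/05/24 10:00:00,192.0.2.10,198.51.100.5,0.0.0.0,0.0.0.0,allow-web,user1,,web-browsing"
	// Constructed sample: IETF header, hostname option none ("-"), WildFire verdict carried as a THREAT record, PRI 129 = local0 + alert (1).
	SampleIETF = "<129>1 2015-05-24T10:00:00.000Z - - - - - 1,2015/05/24 10:00:00,0001A1000000,THREAT,wildfire,1,2015/05/24 10:00:00,192.0.2.10,198.51.100.5,0.0.0.0,0.0.0.0,allow-web,user1,,web-browsing"
)

func main() {
	for _, line := range []string{SampleBSD, SampleIETF} {
		r, err := ParseSyslog(line)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s %s.%s host=%q type=%s subtype=%s wildfire=%v\n",
			r.Format, r.Facility, r.Severity, r.Host, r.Type, r.Subtype, IsWildFire(r))
	}
}
```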

   The certificate is neither a trusted CA nor a certificate signing request (CSR). Neither of these types of certificates can be enabled for secure syslog communication.

Configure the Firewall to Authenticate to the Syslog Server

Step 1: If the syslog server requires client authentication, generate the certificate for secure communication. For details on certificates, see Certificate Management.
To verify that the sending device is authorized to communicate with the syslog server, you must enable the following:
   The server and the sending device must have certificates that are signed by the Enterprise CA; or you can generate a self-signed certificate on the firewall, export the CA root certificate from the firewall, and import it into the syslog server.
   Use the Enterprise CA or the self-signed certificate to generate a certificate with the IP address of the sending device (as the Common Name) and enabled for use in secure syslog communication. The syslog server uses this certificate to verify that the firewall is authorized to communicate with the syslog server.
Use the following steps to generate the certificate on the firewall or Panorama:
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Click Generate to create a new certificate that will be signed by a trusted CA or the self-signed CA.
3. Enter a Name for the certificate.
4. In Common Name, enter the IP address of the device sending logs to the syslog server.
5. Select Shared if you want the certificate to be a shared certificate on Panorama or to be shared by all virtual systems in a multiple virtual system firewall.
6. In Signed by, select the trusted CA or the self-signed CA that is trusted by both the syslog server and the sending device.
7. Click Generate. The certificate and the keypair will be generated.
8. Click the link with the name of the certificate and enable the Certificate for Secure Syslog option for secure access to the syslog server.
9. Commit the changes.
10. Verify the certificate details and that it is marked for Usage as Certificate for Secure Syslog.
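The certificate constraints above, as an added Go check that is not the firewall's own logic: it generates, in memory, a self-signed CA and a client certificate signed by it with the sending device's IP address as Common Name, then flags a certificate whose private key is missing or mismatched, whose subject equals its issuer, that is a CA, or that carries the wrong Common Name. The CA name and the IP address are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CheckSecureSyslogCert applies the constraints listed above to a candidate
// client certificate. A CSR cannot even be passed in: it is a different Go
// type (x509.CertificateRequest), so that case is excluded by construction.
func CheckSecureSyslogCert(cert *x509.Certificate, key *ecdsa.PrivateKey, senderIP string) []string {
	var problems []string
	if key == nil {
		problems = append(problems, "private key is not available on the sending device")
	} else if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
		problems = append(problems, "private key does not match the certificate public key")
	}
	if cert.Subject.String() == cert.Issuer.String() {
		problems = append(problems, "subject and issuer are identical")
	}
	if cert.IsCA {
		problems = append(problems, "certificate is a CA certificate")
	}
	if cert.Subject.CommonName != senderIP {
		problems = append(problems, fmt.Sprintf("common name %q is not the sender IP %s", cert.Subject.CommonName, senderIP))
	}
	return problems
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign creates a certificate from tmpl, signed by signer (the parent's key),
// and parses it back so Subject/Issuer/IsCA reflect the encoded certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildTestPair constructs a self-signed CA and a client certificate signed
// by it with CN = senderIP, mirroring the generation steps above.
func BuildTestPair(senderIP string) (ca *x509.Certificate, caKey *ecdsa.PrivateKey, leaf *x509.Certificate, leafKey *ecdsa.PrivateKey) {
	caKey, leafKey = newKey(), newKey()
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Self-Signed CA"}, // constructed name
		NotBefore:             now,
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // parent == template: self-signed
	leafTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: senderIP},
		IPAddresses:           []net.IP{net.ParseIP(senderIP)},
		NotBefore:             now,
		NotAfter:              now.Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, // encodes IsCA = false
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf = sign(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return ca, caKey, leaf, leafKey
}

func main() {
	ca, caKey, leaf, leafKey := BuildTestPair("192.0.2.10") // constructed sender IP
	fmt.Println("client cert:", CheckSecureSyslogCert(leaf, leafKey, "192.0.2.10")) // []
	fmt.Println("CA cert:    ", CheckSecureSyslogCert(ca, caKey, "192.0.2.10"))     // three problems
}
```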

Enable Log Forwarding

After you create the Server Profiles that define where to send your logs (see Define Remote Logging Destinations), you must enable log forwarding. For each log type, you can specify whether to forward it to Syslog, Email, SNMP trap receiver, and/or Panorama.

Before you can forward log files to a Panorama Manager or a Panorama Log Collector, the firewall must be configured as a managed device. You can then enable log forwarding to Panorama for each type of log. For logs forwarded to Panorama, support for centralized log forwarding to an external syslog server is available.

You can use Secure Copy (SCP) commands from the CLI to export the entire log database (logdb) to an SCP server and import it to another firewall; refer to the PAN-OS Command Line Interface (CLI) Reference Guide. Because the log database is too large for an export or import to be practical on the following platforms, they do not support these options: PA-7050 firewall (all PAN-OS releases), Panorama virtual appliance running Panorama 6.0 or later releases, and Panorama M-Series appliances (all Panorama releases).

The way you enable forwarding depends on the log type:

Traffic Logs: You enable forwarding of Traffic logs by creating a Log Forwarding Profile (Objects > Log Forwarding) and adding it to the security policies you want to trigger the log forwarding. Only traffic that matches a specific rule within the security policy will be logged and forwarded. For details on setting up a log forwarding profile, see Log Forwarding Profiles.

Threat Logs: You enable forwarding of Threat logs by creating a Log Forwarding Profile (Objects > Log Forwarding) that specifies which severity levels you want to forward and then adding it to the security policies for which you want to trigger the log forwarding. A Threat log entry will only be created (and therefore forwarded) if the associated traffic matches a Security Profile (Antivirus, Anti-spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection). For details on setting up a log forwarding profile, see Log Forwarding Profiles.

The following table summarizes the threat severity levels:

Severity   Description
Critical   Serious threats, such as those that affect default installations of widely deployed software, result in root compromise of servers, and for which the exploit code is widely available to attackers. The attacker usually does not need any special authentication credentials or knowledge about the individual victims, and the target does not need to be manipulated into performing any special functions.
High       Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool.
Medium     Minor threats in which impact is minimized, such as DoS attacks that do not compromise the target or exploits that require an attacker to reside on the same LAN as the victim, affect only non-standard configurations or obscure applications, or provide very limited access. In addition, WildFire Submissions log entries with a malware verdict are logged as Medium.
Low        Warning-level threats that have very little impact on an organization's infrastructure. They usually require local or physical system access and may often result in victim privacy or DoS issues and information leakage. Data Filtering profile matches are logged as Low.


Panorama PANORAMA. Panorama provides centralized policy and device management over a network of Palo Alto Networks next-generation firewalls. provides centralized policy and device management over a network of Palo Alto Networks next-generation firewalls. View a graphical summary of the applications on the network, the respective users, and

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

WildFire Overview. WildFire Administrator s Guide 1. Copyright 2007-2015 Palo Alto Networks

WildFire Overview. WildFire Administrator s Guide 1. Copyright 2007-2015 Palo Alto Networks WildFire Overview WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing and signature-based detection and blocking of malware. WildFire extends the capabilities

More information

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 This document supports the version of each product listed and supports all subsequent versions until the document

More information

SonicWALL Global Management System Reporting Guide Standard Edition

SonicWALL Global Management System Reporting Guide Standard Edition SonicWALL Global Management System Reporting Guide Standard Edition Version 2.9.4 Copyright Information 2005 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described

More information

Manage Mobile Devices

Manage Mobile Devices Manage Mobile Devices After your mobile device users enroll with the GlobalProtect Mobile Security Manager, you can monitor the devices and ensure that they are maintained to your standards for protecting

More information

Barracuda Link Balancer Administrator s Guide

Barracuda Link Balancer Administrator s Guide Barracuda Link Balancer Administrator s Guide Version 1.0 Barracuda Networks Inc. 3175 S. Winchester Blvd. Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2008, Barracuda Networks

More information

Setting Up Scan to SMB on TaskALFA series MFP s.

Setting Up Scan to SMB on TaskALFA series MFP s. Setting Up Scan to SMB on TaskALFA series MFP s. There are three steps necessary to set up a new Scan to SMB function button on the TaskALFA series color MFP. 1. A folder must be created on the PC and

More information

VMware vrealize Operations for Horizon Administration

VMware vrealize Operations for Horizon Administration VMware vrealize Operations for Horizon Administration vrealize Operations for Horizon 6.1 This document supports the version of each product listed and supports all subsequent versions until the document

More information

CHAPTER 1 WhatsUp Flow Monitor Overview. CHAPTER 2 Configuring WhatsUp Flow Monitor. CHAPTER 3 Navigating WhatsUp Flow Monitor

CHAPTER 1 WhatsUp Flow Monitor Overview. CHAPTER 2 Configuring WhatsUp Flow Monitor. CHAPTER 3 Navigating WhatsUp Flow Monitor Contents CHAPTER 1 WhatsUp Flow Monitor Overview What is Flow Monitor?... 1 How does Flow Monitor work?... 2 Supported versions... 2 System requirements... 2 CHAPTER 2 Configuring WhatsUp Flow Monitor

More information

High Availability. PAN-OS Administrator s Guide. Version 7.0

High Availability. PAN-OS Administrator s Guide. Version 7.0 High Availability PAN-OS Administrator s Guide Version 7.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Panorama Overview. Palo Alto Networks. Panorama Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks

Panorama Overview. Palo Alto Networks. Panorama Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks Panorama Overview Palo Alto Networks Panorama Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012 Sophos Enterprise Console Help Product version: 5.1 Document date: June 2012 Contents 1 About Enterprise Console...3 2 Guide to the Enterprise Console interface...4 3 Getting started with Sophos Enterprise

More information

WF-500 File Analysis

WF-500 File Analysis WF-500 File Analysis This section describes the WF-500 WildFire appliance and how to configure and manage the appliance to prepare it to receive files for analysis. In addition, this section provides steps

More information

WF-500 Appliance File Analysis

WF-500 Appliance File Analysis WF-500 Appliance File Analysis Palo Alto Networks WildFire Administrator s Guide Version 6.1 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054

More information

Content Inspection Features

Content Inspection Features Content Inspection Features PAN-OS New Features Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 http://www.paloaltonetworks.com/contact/contact/

More information

IBM Security QRadar SIEM Version 7.1.0 MR1. Administration Guide

IBM Security QRadar SIEM Version 7.1.0 MR1. Administration Guide IBM Security QRadar SIEM Version 7..0 MR Administration Guide Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page 07. Copyright

More information

VMware vcenter Log Insight User's Guide

VMware vcenter Log Insight User's Guide VMware vcenter Log Insight User's Guide vcenter Log Insight 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

Monitoring Your Network

Monitoring Your Network CHAPTER 17 Date: 3/22/13 When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can

More information

Tracking Network Changes Using Change Audit

Tracking Network Changes Using Change Audit CHAPTER 14 Change Audit tracks and reports changes made in the network. Change Audit allows other RME applications to log change information to a central repository. Device Configuration, Inventory, and

More information

Palo Alto Networks Users Group. February 2014

Palo Alto Networks Users Group. February 2014 Palo Alto Networks Users Group February 2014 Topics of Discussion Syslog configuration, Integration and supported partners Panachrome App Scope Destination NAT Wildfire decision making Pan OS 6.0 brief

More information

Assets, Groups & Networks

Assets, Groups & Networks Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat

More information

Panorama. Panorama provides network security management beyond other central management solutions.

Panorama. Panorama provides network security management beyond other central management solutions. Panorama Panorama provides network security management beyond other central management solutions. Headquarters PANORAMA Simplified Powerful Policy Enterprise Class Management Unmatched Visibility Data

More information

EMC ViPR SRM. Alerting Guide. Version 3.7.1.0 302-002-455 01

EMC ViPR SRM. Alerting Guide. Version 3.7.1.0 302-002-455 01 EMC ViPR SRM Version 3.7.1.0 Alerting Guide 302-002-455 01 Copyright 2015-2016 EMC Corporation. All rights reserved. Published in the USA. Published February, 2016 EMC believes the information in this

More information

Administering Cisco ISE

Administering Cisco ISE CHAPTER 8 This chapter describes the administrative activities for the Cisco Identity Services Engine (ISE) and how to perform them. The following topics are covered: Logging In, page 8-1 System Time and

More information

Kaseya 2. User Guide. Version 7.0. English

Kaseya 2. User Guide. Version 7.0. English Kaseya 2 Monitoring Configuration User Guide Version 7.0 English September 3, 2014 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept

More information

v6.1 Websense Enterprise Reporting Administrator s Guide

v6.1 Websense Enterprise Reporting Administrator s Guide v6.1 Websense Enterprise Reporting Administrator s Guide Websense Enterprise Reporting Administrator s Guide 1996 2005, Websense, Inc. All rights reserved. 10240 Sorrento Valley Rd., San Diego, CA 92121,

More information

Manage Firewalls and Log Collection. Panorama Administrator s Guide. Version 6.0

Manage Firewalls and Log Collection. Panorama Administrator s Guide. Version 6.0 Manage Firewalls and Log Collection Panorama Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact

More information

VMware vcenter Operations Manager Administration Guide

VMware vcenter Operations Manager Administration Guide VMware vcenter Operations Manager Administration Guide Custom User Interface vcenter Operations Manager 5.6 This document supports the version of each product listed and supports all subsequent versions

More information

CHAPTER. Monitoring and Diagnosing

CHAPTER. Monitoring and Diagnosing CHAPTER 20. This chapter provides details about using the Diagnostics & Monitoring system available through ShoreTel Director. It contains the following information: Overview... 661 Architecture... 661

More information

HP A-IMC Firewall Manager

HP A-IMC Firewall Manager HP A-IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW101-20110805 Legal and notice information Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this

More information

Kaseya 2. Quick Start Guide. for VSA 6.1

Kaseya 2. Quick Start Guide. for VSA 6.1 Kaseya 2 Monitoring Configuration Quick Start Guide for VSA 6.1 January 17, 2011 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector

More information

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

User's Guide. Product Version: 2.5.0 Publication Date: 7/25/2011

User's Guide. Product Version: 2.5.0 Publication Date: 7/25/2011 User's Guide Product Version: 2.5.0 Publication Date: 7/25/2011 Copyright 2009-2011, LINOMA SOFTWARE LINOMA SOFTWARE is a division of LINOMA GROUP, Inc. Contents GoAnywhere Services Welcome 6 Getting Started

More information

A guide to using the Policy Hit Accounting Tool to display a graphical representation of policy hits on the network

A guide to using the Policy Hit Accounting Tool to display a graphical representation of policy hits on the network Policy Hit Accounting Tool Guide A guide to using the Policy Hit Accounting Tool to display a graphical representation of policy hits on the network Introduction Enterasys policy-enabled infrastructure

More information

Mobile Device Management Version 8. Last updated: 17-10-14

Mobile Device Management Version 8. Last updated: 17-10-14 Mobile Device Management Version 8 Last updated: 17-10-14 Copyright 2013, 2X Ltd. http://www.2x.com E mail: info@2x.com Information in this document is subject to change without notice. Companies names

More information

vcenter Operations Manager for Horizon Supplement

vcenter Operations Manager for Horizon Supplement vcenter Operations Manager for Horizon Supplement vcenter Operations Manager for Horizon 1.6 This document supports the version of each product listed and supports all subsequent versions until the document

More information

Trustwave SEG Cloud Customer Guide

Trustwave SEG Cloud Customer Guide Trustwave SEG Cloud Customer Guide Legal Notice Copyright 2015 Trustwave Holdings, Inc. All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation

More information

PassGuide.PCNSE6 (48Q)

PassGuide.PCNSE6 (48Q) PassGuide.PCNSE6 (48Q) Number: PCNSE6 Passing Score: 800 Time Limit: 120 min File Version: 4.9 http://www.gratisexam.com/ PCNSE6 Palo Alto Networks Certified Network Security Engineer 6.0 1. I was so happy

More information

HP IMC Firewall Manager

HP IMC Firewall Manager HP IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW102-20120420 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this

More information

Installing and Configuring vcenter Support Assistant

Installing and Configuring vcenter Support Assistant Installing and Configuring vcenter Support Assistant vcenter Support Assistant 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

CARL : Cyberoam Aggregated Reporting and Logging :: User Guide. Table Of Contents INTRODUCTION... 4

CARL : Cyberoam Aggregated Reporting and Logging :: User Guide. Table Of Contents INTRODUCTION... 4 Table Of Contents INTRODUCTION... 4 About Cyberoam Aggregated Reporting and Logging... 5 INSTALLATION AND SETUP... 6 System Requirements... 6 Prerequisites... 8 Installing and Uninstalling... 10 Starting

More information

TSM Studio Server User Guide 2.9.0.0

TSM Studio Server User Guide 2.9.0.0 TSM Studio Server User Guide 2.9.0.0 1 Table of Contents Disclaimer... 4 What is TSM Studio Server?... 5 System Requirements... 6 Database Requirements... 6 Installing TSM Studio Server... 7 TSM Studio

More information

Presentation Reporting Quick Start

Presentation Reporting Quick Start Presentation Reporting Quick Start Topic 50430 Presentation Reporting Quick Start Websense Web Security Solutions Updated 19-Sep-2013 Applies to: Web Filter, Web Security, Web Security Gateway, and Web

More information

WebSphere Business Monitor V7.0 Business space dashboards

WebSphere Business Monitor V7.0 Business space dashboards Copyright IBM Corporation 2010 All rights reserved IBM WEBSPHERE BUSINESS MONITOR 7.0 LAB EXERCISE WebSphere Business Monitor V7.0 What this exercise is about... 2 Lab requirements... 2 What you should

More information

F-Secure Messaging Security Gateway. Deployment Guide

F-Secure Messaging Security Gateway. Deployment Guide F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4

More information

Sophos XG Firewall v 15.01.0 Release Notes. Sophos XG Firewall Reports Guide v15.01.0

Sophos XG Firewall v 15.01.0 Release Notes. Sophos XG Firewall Reports Guide v15.01.0 Sophos XG Firewall v 15.01.0 Release Notes Sophos XG Firewall Reports Guide v15.01.0 For Sophos and Cyberoam Customers Document Date: November 2015 Contents 2 Contents Reports... 4 Basics...4 Reports Navigation...

More information

SonicWALL Global Management System Reporting Guide Standard Edition

SonicWALL Global Management System Reporting Guide Standard Edition SonicWALL Global Management System Reporting Guide Standard Edition Version 2.8 Copyright Information 2004 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described

More information

DEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010

DEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010 DEPLOYMENT GUIDE Version 2.1 Deploying F5 with Microsoft SharePoint 2010 Table of Contents Table of Contents Introducing the F5 Deployment Guide for Microsoft SharePoint 2010 Prerequisites and configuration

More information

VMware vcenter Log Insight User's Guide

VMware vcenter Log Insight User's Guide VMware vcenter Log Insight User's Guide vcenter Log Insight 1.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

Configuration Guide. Websense Web Security Solutions Version 7.8.1

Configuration Guide. Websense Web Security Solutions Version 7.8.1 Websense Web Security Solutions Version 7.8.1 To help you make the transition to Websense Web Security or Web Security Gateway, this guide covers the basic steps involved in setting up your new solution

More information

CTERA Agent for Mac OS-X

CTERA Agent for Mac OS-X User Guide CTERA Agent for Mac OS-X September 2013 Version 4.0 Copyright 2009-2013 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without

More information

Palo Alto Networks Administrator's Guide. Release 3.1

Palo Alto Networks Administrator's Guide. Release 3.1 Palo Alto Networks Administrator's Guide Release 3.1 Palo Alto Networks Administrator s Guide Release 3.1 2/25/10 Third/Final Review Draft - Palo Alto Networks COMPANY CONFIDENTIAL Palo Alto Networks,

More information

Adaptive Log Exporter Users Guide

Adaptive Log Exporter Users Guide IBM Security QRadar Version 7.1.0 (MR1) Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page page 119. Copyright IBM Corp. 2012,

More information

LifeSize Transit Deployment Guide June 2011

LifeSize Transit Deployment Guide June 2011 LifeSize Transit Deployment Guide June 2011 LifeSize Tranist Server LifeSize Transit Client LifeSize Transit Deployment Guide 2 Firewall and NAT Traversal with LifeSize Transit Firewalls and Network Address

More information

Content-ID. Content-ID URLS THREATS DATA

Content-ID. Content-ID URLS THREATS DATA Content-ID DATA CC # SSN Files THREATS Vulnerability Exploits Viruses Spyware Content-ID URLS Web Filtering Content-ID combines a real-time threat prevention engine with a comprehensive URL database and

More information

Configuring NetFlow Secure Event Logging (NSEL)

Configuring NetFlow Secure Event Logging (NSEL) 73 CHAPTER This chapter describes how to configure NSEL, a security logging mechanism that is built on NetFlow Version 9 technology, and how to handle events and syslog messages through NSEL. The chapter

More information

Operation Error Management

Operation Error Management S&C IntelliTeam CNMS Communication Network Management System Operation Error Management Table of Contents Section Page Section Page Overview.... 2 Error Management Alarms... 4 Viewing Alarms.... 5 Editing

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information